Hi Sam,
My company is one of the primary providers for Cloudflare, and was one
of the first to be attacked over the current Spamhaus/Cyberbunker
debacle. Your latest piece is interesting, and while a lot of the hype
and fear over these attacks IS IMHO unjustified, there are a few major
details that you're missing.
First off, I can confirm a few basic facts, namely that we really did
receive a ~300 Gbps attack directed at Cloudflare, and later
specifically targeted at pieces of our core infrastructure. This is
definitely on the large end of the scale as far as DoS attacks go, but
I wouldn't call it "record smashing" or "game changing" in any special
way. It's just another large attack, maybe 10-15% larger than other
similar ones we've seen in the past, and I'm certain we will continue
to see even larger ones in the future as global traffic levels
increase. What made this particular attack notable is where it was
targeted, which greatly increased the number of people who noticed it.
In defense of the claims in other articles, there is a huge difference
between "taking down the entire Internet" and "causing impact to
notable portions of the Internet". My company, most other large
Internet carriers, and even the largest Internet exchange points, all
deliver traffic at multi-terabits-per-second rates, so in the grand
scheme of things 300 Gbps is certainly not going to destroy the
Internet, wipe anybody off the map, or even show up as more than a blip
on the charts of global traffic levels. That said, there is absolutely
NO network on this planet that maintains 300 Gbps of active/lit but
unused capacity to every point in their network. This would be
incredibly expensive and wasteful, and most of us are trying to run
for-profit commercial networks, so when 300 Gbps of NEW traffic
suddenly shows up and all wants to go to ONE location, someone is going
to have a bad day.
But, having a bad day on the Internet is nothing new. These are the
types of events we deal with on a regular basis, and most large network
operators are very good at responding quickly to deal with situations
like this. In our case, we worked with Cloudflare to quickly identify
the attack profile, rolled out global filters on our network to limit
the attack traffic without adversely impacting legitimate users, and
worked with our other partner networks (like NTT) to do the same. If
the attacks had stopped here, nobody in the "mainstream media" would
have noticed, and it would have been just another fun day for a few
geeks on the Internet.
The next part is where things got interesting, and is the part that
nobody outside of extremely technical circles has actually bothered to
try and understand yet. After attacking Cloudflare and their upstream
Internet providers directly stopped having the desired effect, the
attackers turned to any other interconnection point they could find,
and stumbled upon Internet Exchange Points like LINX (in London),
AMS-IX (in Amsterdam), and DE-CIX (in Frankfurt), three of the largest
IXPs in the world.
An IXP is an "interconnection fabric", essentially just a large
switched LAN, which acts as a common meeting point for different
networks to connect and exchange traffic with each other. Every member
connects a router, and is given a single IP address out of a common IP
block to facilitate the interconnection. For example, one of LINX's
main blocks is a single /22, and every member has an IP within that
block. When two networks want to connect with each other, they set up a
BGP session between their IPs, and the traffic is switched across the
LAN just like it would be in any other switched network.
The downside of this architecture is that these IP blocks are real,
routable IPs, which can sometimes be reached from the outside world.
It's usually against the rules of the individual IXPs to redistribute
those blocks into the global table, but it's a common misconfiguration
that still happens all the time, meaning anyone on the Internet can
send traffic to those router IPs. When one of these IP addresses shows
up in traceroute and attackers target it, it results in a large amount
of traffic being unexpectedly dumped into this IXP LAN. The "quick fix"
for this is for the IXP operators to chase down everyone who is
redistributing the IXP block to the global table.
Note that the vast majority of global Internet traffic does NOT travel
over these types of public IXPs, but rather goes via direct private
interconnections between specific networks. Typically IXP traffic
represents more of the "long tail" of networks who are peering with
each other, i.e. they're used by a large number of generally smaller
networks, or by larger networks that are looking to offload some of
their "lower speed" interconnections. Collectively it still adds up to
a lot of traffic, but the really "big" pipes that carry most of the
Internet traffic are all private point-to-point links (called PNIs).
So, what you actually saw here was an attack affecting a large number
of smaller networks, with something which was really a completely
unrelated and unintended side-effect of the original attack. It's not
going to take down the Internet, but it's certainly a recipe for having
a lot of people talking about it.
Hopefully that clears up a bit of the situation.
-Richard A Steenbergen
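The misconfiguration described in the e-mail above (an IXP peering-LAN block redistributed into the global table, so that traffic aimed at a peer's router IP gets dumped onto the exchange fabric) is something an operator can check for on their own routing table. The script below is an added example, not part of the original e-mail and not anyone's production tooling. It reads a constructed BGP RIB dump in a simple `prefix|as_path` line format, flags any route that is the peering LAN itself, a more-specific inside it, or a covering aggregate that swallows it, ignores routes the IXP originates from its own ASN, and groups the offenders by origin ASN, which is exactly the contact list the "quick fix" in the text requires. All prefixes are RFC 5737 documentation ranges and all ASNs are RFC 5398 documentation ASNs standing in for real peering LANs and real networks; the IXP names and their ASNs are invented. Real peering-LAN blocks come from each IXP's published data (PeeringDB lists them).

```python
"""Detect IXP peering-LAN prefixes that have leaked into a BGP table.

Added example, not from the original e-mail. The IXP LAN blocks are RFC 5737
documentation ranges standing in for real peering LANs, the IXP names and
ASNs are invented, and the RIB dump is constructed for the demonstration.
"""
import ipaddress
from collections import defaultdict

# Assumed/constructed: peering-LAN block and the IXP's own ASN per exchange.
# A route for the LAN originated by the IXP itself is not treated as a leak.
IXP_LANS = {
    "EX-IX-A": (ipaddress.ip_network("192.0.2.0/24"), 64496),
    "EX-IX-B": (ipaddress.ip_network("198.51.100.0/24"), 64497),
    "EX-IX-C": (ipaddress.ip_network("203.0.113.0/24"), 64498),
}

# Constructed RIB dump: 'prefix|as_path', origin AS last, one junk line.
SAMPLE_RIB = """\
192.0.2.0/24|64500 64501 64505
198.51.100.0/24|64500 64497
198.51.100.128/25|64500 64502 64506
203.0.112.0/22|64500 64503
10.20.0.0/16|64500 64504
malformed line without a pipe
"""


def parse_rib(text):
    """Yield (network, as_path) per well-formed line; silently skip junk."""
    for raw in text.splitlines():
        if "|" not in raw:
            continue
        pfx, path = raw.split("|", 1)
        try:
            net = ipaddress.ip_network(pfx.strip(), strict=False)
        except ValueError:
            continue
        asns = [int(a) for a in path.split() if a.isdigit()]
        if asns:
            yield net, asns


def classify_route(net, as_path, ixp_lans=IXP_LANS):
    """Return (ixp_name, kind) if the route touches a peering LAN, else None.

    kind is 'exact' or 'more-specific' when the route lies inside the LAN
    (the IXP block, or a piece of it, was redistributed), and 'covering'
    when the route is a less-specific aggregate that contains the LAN.
    """
    origin = as_path[-1]
    for name, (lan, ixp_asn) in ixp_lans.items():
        if net.version != lan.version or origin == ixp_asn:
            continue
        if net == lan:
            return name, "exact"
        if net.subnet_of(lan):
            return name, "more-specific"
        if lan.subnet_of(net):
            return name, "covering"
    return None


def find_ixp_leaks(rib_text, ixp_lans=IXP_LANS):
    """Return leak records: (ixp, kind, prefix, origin_asn, as_path)."""
    leaks = []
    for net, path in parse_rib(rib_text):
        hit = classify_route(net, path, ixp_lans)
        if hit:
            leaks.append((hit[0], hit[1], str(net), path[-1], path))
    return leaks


def leakers_by_origin(leaks):
    """Group leaked prefixes by origin ASN: who to contact for the quick fix."""
    out = defaultdict(list)
    for name, kind, pfx, origin, _path in leaks:
        out[origin].append((name, kind, pfx))
    return dict(out)


def should_reject(prefix_str, as_path, ixp_lans=IXP_LANS):
    """Import-policy decision for one received route: True means drop it.

    Exact and more-specific leaks are dropped. A covering aggregate is only
    reported, because rejecting it would also blackhole the legitimate
    address space around the LAN.
    """
    net = ipaddress.ip_network(prefix_str, strict=False)
    hit = classify_route(net, as_path, ixp_lans)
    return hit is not None and hit[1] != "covering"


if __name__ == "__main__":
    found = find_ixp_leaks(SAMPLE_RIB)
    for rec in found:
        print("%-8s %-13s %-18s origin AS%d path %s" % rec)
    for asn, items in sorted(leakers_by_origin(found).items()):
        print("contact AS%d about %d leaked prefix(es)" % (asn, len(items)))
```

On the constructed dump this reports three leaks: the EX-IX-A LAN announced exactly by AS64505, a /25 more-specific of the EX-IX-B LAN from AS64506, and a /22 from AS64503 that covers the EX-IX-C LAN. The EX-IX-B route originated by the exchange's own AS64497 is left alone, as is the unrelated 10.20.0.0/16. The same `classify_route` decision can back an import filter on your edge routers, so that even when someone else leaks an IXP block you do not carry the route and your customers' traffic is not steered onto the exchange fabric.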